Forum Discussion
BIG-IP resets HTTPS connections
I currently use my BIG-IP LTM in a reverse proxy configuration. I can access the backend server's main web page on port 443, but when I want to access an application on the backend server that redirects traffic to port 7002, I get a connection reset error (ERR_CONNECTION_RESET) message. But if I access the server directly on the same port, I get an error 403 message. A packet trace shows that it is the BIG-IP that issues the connection reset. I don't know why and I don't know how to alleviate that.
Regards, Alain
12 Replies
- Kevin_Stewart
Employee
Are you saying that the server sends a redirect to have the client talk to it on port 7002, or that the BIG-IP accepts 443 from the client and sends the traffic to servers listening on port 7002?
- Alain_Morin_147
Nimbostratus
My understanding is that the backend server sends a redirect to have the client talk to the application via port 7002. If I access the server directly, the initial request is: https://snverapp3.ext.videotron.com. But when I want to access the application on the backend server, I have to type https://snverapp3.ext.videotron.com/ultra/. I then receive a redirected page of https://snverapp3.ext.videotron.com:7002/wfo/control/signin?screen=DIRECT_TO_INTEGRATION&integrationURL=https%3a%2f%2fsnverapp3.ext.videotron.com%3a443%2fultra%3f__internal_mthd%3dGET with a login screen.
But when I go through the BIG-IP: https://testverint.ext.videotron.com/ultra, I get an ERR_CONNECTION_RESET message from the browser.
How is your VIP set up? Can you paste in your configuration? Both the VIP and the pool if you would. If I had to guess, either the VIP is set up to only listen on 443 or the pool is set up to only send traffic to the back end servers on 443. Or, you're trying to terminate SSL for non-SSL traffic. Hard to tell without the config. If you paste the config here, more than happy to take a look.
Also, F5 has some nice RST debugging. Check out this link
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
- Alain_Morin_147
Nimbostratus
ltm pool P-TESTVERINT-443 {
    members {
        SNVERAPP1:https {
            address 172.29.242.185
            monitor MON-REC-IIS
            session user-disabled
            state up
        }
        SNVERAPP3:https {
            address 172.29.242.186
            session monitor-enabled
            state up
        }
    }
    monitor MON-REC-IIS
}
ltm pool P-TESTVERINT-7002 {
    members {
        SNVERAPP1:afs3-prserver {
            address 172.29.242.185
            monitor MON-REC-WEBLOGIC
            session user-disabled
            state up
        }
        SNVERAPP3:afs3-prserver {
            address 172.29.242.186
            session monitor-enabled
            state up
        }
    }
    monitor MON-REC-WEBLOGIC
}
ltm monitor https MON-REC-IIS {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    description "Monitoring Recorder (Verint) IIS"
    destination *:https
    interval 5
    send "GET /\r\n\r\n"
    time-until-up 0
    timeout 16
}
ltm monitor https MON-REC-WEBLOGIC {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    description "Monitoring Recorder (Verint) WebLogic"
    destination *:afs3-prserver
    interval 5
    recv "200 OK"
    send "GET /wfo/control/appTest\r\n\r\n"
    time-until-up 0
    timeout 16
}
ltm snatpool VIP-TESTVERINT {
    app-service none
    description none
    members { 172.29.243.27 }
    partition Common
}
ltm snat-translation 172.29.243.27 {
    address 172.29.243.27
    app-service none
    arp enabled
    connection-limit 0
    description none
    enabled
    inherited-traffic-group true
    ip-idle-timeout indefinite
    partition Common
    tcp-idle-timeout indefinite
    traffic-group traffic-group-1
    udp-idle-timeout indefinite
    unit 1
}
ltm virtual VS-TESTVERINT-443 {
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description none
    destination 172.29.243.27:https
    enabled
    fallback-persistence none
    gtm-score 0
    http-class none
    ip-protocol tcp
    last-hop-pool none
    mask 255.255.255.255
    metadata none
    mirror disabled
    nat64 disabled
    partition Common
    persist none
    pool P-TESTVERINT-443
    profiles {
        CSSL-TESTVERINT { context clientside }
        serverssl { context serverside }
        tcp { context all }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    rules none
    security-log-profiles none
    source 0.0.0.0/0
    source-address-translation {
        pool VIP-TESTVERINT
        type snat
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address enabled
    translate-port enabled
    vlans none
    vlans-disabled
}
ltm virtual VS-TESTVERINT-7002 {
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description none
    destination 172.29.243.27:afs3-prserver
    enabled
    fallback-persistence none
    gtm-score 0
    http-class none
    ip-protocol tcp
    last-hop-pool none
    mask 255.255.255.255
    metadata none
    mirror disabled
    nat64 disabled
    partition Common
    persist none
    pool P-TESTVERINT-7002
    profiles {
        CSSL-TESTVERINT { context clientside }
        serverssl { context serverside }
        tcp { context all }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    rules none
    security-log-profiles none
    source 0.0.0.0/0
    source-address-translation {
        pool VIP-TESTVERINT
        type snat
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address enabled
    translate-port disabled
    vlans none
    vlans-disabled
}
I don't see it above, but with everything else being set up to match, I'm going to assume that pool P-TESTVERINT-7002 is set up to take traffic on tcp 7002. And I'm going to assume that you have another https monitor for 7002 that's passing for that pool as well. If all that is good to go, I would lean toward the RST debugging in the SOL that I pasted above.
- Alain_Morin_147
Nimbostratus
Yes, I do have a monitor configured for port 7002. Here is the log I have:
Mar 19 10:07:42 VTI-PIE5-LB03 warning tmm[9052]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.29.242.186:7002
Mar 19 10:07:42 VTI-PIE5-LB03 err tmm[9052]: 01230140:3: RST sent from 172.29.243.27:7002 to 172.26.222.169:3256, [0x17275e9:1588] {peer} SSL error (handshake_failure(40))
Mar 19 10:07:42 VTI-PIE5-LB03 err tmm[9052]: 01230140:3: RST sent from 172.29.243.27:3256 to 172.29.242.186:7002, [0x17275e9:1588] SSL error (handshake_failure(40))
Mar 19 10:07:42 VTI-PIE5-LB03 err tmm[9052]: 01230140:3: RST sent from 172.29.243.27:3256 to 172.29.242.186:7002, [0x16b6494:1301] TCP 3WHS rejected
Mar 19 10:07:42 VTI-PIE5-LB03 warning tmm[9052]: 01260017:4: Connection attempt to insecure SSL server (see RFC5746) aborted: 172.29.242.186:7002
Mar 19 10:07:42 VTI-PIE5-LB03 err tmm[9052]: 01230140:3: RST sent from 172.29.243.27:7002 to 172.26.222.169:3257, [0x17275e9:1588] {peer} SSL error (handshake_failure(40))
Mar 19 10:07:42 VTI-PIE5-LB03 err tmm[9052]: 01230140:3: RST sent from 172.29.243.27:3257 to 172.29.242.186:7002, [0x17275e9:1588] SSL error (handshake_failure(40))
Mar 19 10:07:42 VTI-PIE5-LB03 info tmm[9052]: 01230140:6: Per-invocation log rate exceeded; throttling.
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13860
Looks like a back-end server issue. Give this a shot and see what happens.
Recommended Actions: F5 recommends upgrading the back-end SSL server to a version that includes support for RFC5746. Note: If upgrading the back-end SSL server is not an option, you can set the Secure Renegotiation setting in the Server SSL profile to Request, which will allow the back-end SSL server to continue to renegotiate insecurely.
- Alain_Morin_147
Nimbostratus
Thanks for your input. I will verify with people managing the backend servers.
Best regards,
- Alain_Morin_147
Nimbostratus
There is a note giving an alternative: "Note: If upgrading the back-end SSL server is not an option, you can set the Secure Renegotiation setting in the Server SSL profile to Request, which will allow the back-end SSL server to continue to renegotiate insecurely." How can I configure this?
- Cory_50405
Noctilucent
It's in the SSL server profile configuration that's applied to the virtual server.
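Before relaxing the Server SSL profile it is worth confirming what the tmm log claims, namely that the pool member on 7002 does not support RFC 5746. The following is an added example, not code from any poster or from F5: it sends a bare TLS 1.2 ClientHello carrying the renegotiation_info extension and checks whether the backend echoes that extension in its ServerHello. The host and port are parameters, and the ServerHello fixture is constructed for offline testing rather than captured from the backend.

```python
import socket
import struct
RENEGOTIATION_INFO = 0xFF01  # TLS extension type registered by RFC 5746

def build_client_hello() -> bytes:
    """TLS 1.2 ClientHello with an empty renegotiation_info extension (the RFC 5746 signal)."""
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"               # ECDHE/RSA AES-GCM and AES-CBC
    ext = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"  # renegotiated_connection = ""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
             + struct.pack(">H", len(suites)) + suites
             + b"\x01\x00"                                      # one compression method: null
             + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def parse_server_hello(record: bytes) -> dict:
    """Report whether the ServerHello in a TLS record echoes renegotiation_info (RFC 5746)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record (alert or empty reply?)")
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not body or body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    end = 4 + int.from_bytes(body[1:4], "big")                 # end of this ServerHello
    pos = 4 + 2 + 32                                           # header, version, random
    pos += 1 + body[pos]                                       # skip session id
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                                   # cipher suite + compression
    exts = set()
    if pos + 2 <= end:                                         # extensions block is optional
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts.add(etype)
            pos += 4 + elen
    return {"cipher_suite": cipher, "secure_renegotiation": RENEGOTIATION_INFO in exts}

def build_server_hello(secure: bool) -> bytes:
    """Constructed TLS 1.2 ServerHello fixture (not captured traffic) for offline tests."""
    exts = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00" if secure else b""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"  # sid, suite 0x002f, null
    if exts:
        hello += struct.pack(">H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect to a pool member (e.g. the 172.29.242.186:7002 from the log) and check its ServerHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(16384))
```

A backend that answers with `secure_renegotiation: False` is what the tmm log calls an "insecure SSL server", while one that requires SNI or speaks only TLS 1.3 will reply with an alert and raise ValueError. Both virtuals above attach the shared default `serverssl` profile, whose Secure Renegotiation setting is Require by default, so the relaxation from sol13860 (`tmsh modify ltm profile server-ssl <profile> secure-renegotiation request`) is best applied to a dedicated copy of that profile used only by VS-TESTVERINT-7002.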